Content-Security-Policy
I'm sharing this to get feedback if I can improve it or to help others. I didn't see anything about it in the documentation. From a bit of testing, I think the minimal Content-Security-Policy header permissions required on the server to allow selfoss to run are:
add_header Content-Security-Policy "default-src 'none'; base-uri 'self'; connect-src 'self'; font-src 'self'; img-src 'self'; object-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; upgrade-insecure-requests; block-all-mixed-content; frame-ancestors 'none';" always;
(This is nginx syntax but you'll get the idea for Apache.)
Any thoughts, please? Maybe to add to the 'nginx configuration' wiki if it looks okay?
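To see what the policy above actually permits, here is an added example (not part of the original post or of selfoss): a small Python parser that applies the CSP fetch-directive fallback to default-src and answers whether a given load would be allowed. It implements only the keyword and exact-host matching this policy needs; the policy string is a copy of the header value from the post.

```python
"""Parse a Content-Security-Policy value and evaluate individual loads against it."""
from typing import Dict, List, Optional

# Copy of the header value quoted in the post (nginx quoting removed).
SELFOSS_CSP = ("default-src 'none'; base-uri 'self'; connect-src 'self'; "
               "font-src 'self'; img-src 'self'; object-src 'self'; "
               "script-src 'self'; style-src 'self' 'unsafe-inline'; "
               "upgrade-insecure-requests; block-all-mixed-content; "
               "frame-ancestors 'none';")

# Fetch directives: when one is absent, the browser falls back to default-src.
# Directives such as frame-ancestors and base-uri do NOT fall back.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "object-src", "media-src", "frame-src",
                    "child-src", "worker-src", "manifest-src"}


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split 'name src src; name ...' into {name: [src, ...]}; names are case-insensitive."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """Source list that governs `directive`, or None if nothing restricts it."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES:
        return policy.get("default-src")  # None when no default-src either
    return None


def allows(policy: Dict[str, List[str]], directive: str, source: str) -> bool:
    """True if a load of kind `directive` from `source` is permitted.

    `source` is a keyword such as "'self'" or "'unsafe-inline'", or a host
    expression such as "https://cdn.example" (exact match only).
    """
    sources = effective_sources(policy, directive)
    if sources is None:
        return True           # no directive and no fallback: unrestricted
    if "'none'" in sources:
        return False          # 'none' blocks everything for this directive
    return "*" in sources or source in sources


if __name__ == "__main__":
    p = parse_csp(SELFOSS_CSP)
    for kind, src in [("script-src", "'unsafe-inline'"), ("style-src", "'unsafe-inline'"),
                      ("frame-src", "'self'"), ("img-src", "https://cdn.example")]:
        print(f"{kind:<11} {src:<20} allowed={allows(p, kind, src)}")
```

Because `frame-src` is not listed, the `'self'` frame check fails through the `default-src 'none'` fallback, while `frame-ancestors` has to be stated explicitly since it does not inherit from default-src.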
Posted by nickrickard, 2023-05-11, 09:54